only in configuration files. Before you can define the AT-TLS policies, you must configure
basic operational characteristics of the policy agent in the main configuration file. The main
configuration file can contain the following statements:

TcpImage      Specifies a TCP/IP image and its associated image-specific
              configuration file.
LogLevel      Defines the amount of information to be logged by the policy
              agent. The default value is to log only event, error, console, and
              warning messages.

CommonTTLSConfig statement: The main configuration file can optionally contain a
CommonTTLSConfig statement that identifies a shared AT-TLS policy file for all the TCP/IP
stacks in your environment.
Example 8-20 shows a configuration file to start the policy agent.

Example 8-20 The pagent.sc59.conf file to start the policy agent

LogLevel 15
TcpImage TCPIP flush purge 1
TTLSconfig /etc/sc59.ttls.Server.policy flush purge
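The following Python script is an added example and is not code from the Redbook. It parses the main configuration statements described above (TcpImage, LogLevel, TTLSConfig and CommonTTLSConfig, with their FLUSH/NOFLUSH and PURGE/NOPURGE keywords), decodes the LogLevel value and reports which AT-TLS policy file each TCP/IP stack would be served from, so that a stack with no policy source is spotted before PAGENT is started. The LogLevel bit values it uses are an assumption taken from the z/OS Communications Server IP Configuration Reference and should be checked against your release; the sample configuration is constructed from Example 8-20 with a second stack added.

```python
"""Checker for a Policy Agent (PAGENT) main configuration file (added example)."""

# Assumption: LogLevel is a bit mask with these category values (verify for your release).
LOG_LEVEL_BITS = [
    (1, "SYSERR"), (2, "OBJERR"), (4, "PROTERR"), (8, "WARNING"),
    (16, "EVENT"), (32, "ACTION"), (64, "INFO"), (128, "ACNTING"), (256, "TRACE"),
]


def decode_log_level(level):
    """Names of the message categories enabled by a LogLevel value."""
    return [name for bit, name in LOG_LEVEL_BITS if level & bit]


def _split_flags(tokens):
    """Separate FLUSH/NOFLUSH and PURGE/NOPURGE keywords from the other tokens."""
    flush = purge = None
    rest = []
    for tok in tokens:
        up = tok.upper()
        if up in ("FLUSH", "NOFLUSH"):
            flush = (up == "FLUSH")
        elif up in ("PURGE", "NOPURGE"):
            purge = (up == "PURGE")
        else:
            rest.append(tok)
    return flush, purge, rest


def parse_main_config(text):
    """Parse the main configuration file. Statement names are case-insensitive
    and '#' starts a comment, as in PAGENT configuration files."""
    cfg = {"log_level": None, "images": {}, "ttls_config": None, "common_ttls_config": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        stmt, *args = line.split()
        key = stmt.lower()
        if key == "loglevel":
            cfg["log_level"] = int(args[0])
        elif key == "tcpimage":
            flush, purge, rest = _split_flags(args[1:])
            # Remaining tokens: optional image-specific file path, optional refresh interval.
            path = next((t for t in rest if not t.isdigit()), None)
            interval = next((int(t) for t in rest if t.isdigit()), None)
            cfg["images"][args[0]] = {"path": path, "flush": flush,
                                      "purge": purge, "interval": interval}
        elif key in ("ttlsconfig", "commonttlsconfig"):
            flush, purge, _ = _split_flags(args[1:])
            entry = {"path": args[0], "flush": flush, "purge": purge}
            cfg["ttls_config" if key == "ttlsconfig" else "common_ttls_config"] = entry
        else:
            raise ValueError("unknown main configuration statement: " + stmt)
    return cfg


def policy_sources(cfg):
    """AT-TLS policy files each TcpImage would use. A stack without an image
    path uses the main file (so a TTLSConfig there applies to it); a stack with
    its own image file is reported by that path, which is not parsed here."""
    out = {}
    for name, img in cfg["images"].items():
        sources = []
        if cfg["common_ttls_config"]:
            sources.append(cfg["common_ttls_config"]["path"])
        if img["path"]:
            sources.append("image-specific file " + img["path"])
        elif cfg["ttls_config"]:
            sources.append(cfg["ttls_config"]["path"])
        out[name] = sources
    return out


def findings(cfg):
    """Warnings an administrator would want before starting PAGENT."""
    notes = []
    if cfg["log_level"] is None:
        notes.append("LogLevel not set; the default logging level applies")
    for name, sources in policy_sources(cfg).items():
        if not sources:
            notes.append("TcpImage %s has no TTLSConfig or CommonTTLSConfig; "
                         "no AT-TLS policy will be installed for it" % name)
    return notes


# Constructed sample: Example 8-20 plus a second stack with its own image file.
SAMPLE_CONFIG = """\
# pagent main configuration (constructed sample)
LogLevel 15
TcpImage TCPIP flush purge 1
TTLSconfig /etc/sc59.ttls.Server.policy flush purge
TcpImage TCPIPB /etc/pagent.sc59.tcpipb.conf
"""

# Constructed sample with a stack that has no AT-TLS policy source at all.
SAMPLE_NO_POLICY = """\
LogLevel 15
TcpImage TCPIPC
"""
```

Run `parse_main_config` on the contents of your own main configuration file and feed the result to `policy_sources` and `findings`; on the constructed sample, TCPIP is served from /etc/sc59.ttls.Server.policy, TCPIPB from its image-specific file, and LogLevel 15 decodes to SYSERR, OBJERR, PROTERR and WARNING (no EVENT messages).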
Before starting the PAGENT policy agent, restrict access to the UNIX pasearch
command. With this command you can display the policy definitions and verify that policies are
correctly defined, but not every user should be permitted to read the policy definitions. To
restrict access to the pasearch command, define a profile in the RACF resource class
SERVAUTH. The profile name has the form EZB.PAGENT.sysname.tcpname.ptype, where sysname is
the z/OS system name, tcpname is the TCP/IP stack (TcpImage) name, and ptype is the policy
type (QoS, IDS, IPSec, or TTLS).
Wildcards are allowed in profile names; Example 8-21 uses a trailing asterisk so that one
generic profile covers all policy types for stack TCPIP on system SC59. Because the profile
is defined with UACC(NONE), only the user IDs that are explicitly permitted (MAXIM and OLIVER
in the example) can read the policies with pasearch, and the two SETROPTS REFRESH commands are
needed for the new generic profile to take effect in the in-storage SERVAUTH profiles.
Example 8-21 RACF commands to restrict unauthorized access to the UNIX pasearch command

//PAGNACC EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RDEFINE SERVAUTH EZB.PAGENT.SC59.TCPIP.* UACC(NONE)
PERMIT EZB.PAGENT.SC59.TCPIP.* CLASS(SERVAUTH) -
ID(MAXIM) ACCESS(READ)
PERMIT EZB.PAGENT.SC59.TCPIP.* CLASS(SERVAUTH) -
ID(OLIVER) ACCESS(READ)
SETROPTS GENERIC(SERVAUTH) REFRESH
SETROPTS RACLIST(SERVAUTH) REFRESH
/*
Defining and installing AT-TLS policies

An AT-TLS policy configuration file contains AT-TLS rules. Each rule defines a set of conditions
that are compared with a connection when that connection is mapped to a policy. If a rule
matches, AT-TLS transparently provides TLS protocol control for the connection, based on the
security attributes specified in the actions associated with the rule. An AT-TLS rule is
defined with the TTLSRule statement, which specifies the set of conditions that TCP/IP compares
with the connection being verified.
Chapter 8. Security enhancements of DB2 10 for SAP solutions 129